Security Awareness

A vulnerability management program is a critical task that all organizations should be running. Part of this program involves patching systems regularly and keeping installed software up to date. Once a vulnerability program is in place, organizations need to remediate discovered vulnerabilities quickly. Occasionally some discovered vulnerabilities are false positives, and the problem with false positives is that manually vetting them is time-consuming. Tools such as SCCM can assist in showing which patches may be missing, but they can be rather costly. For organizations concerned that these types of programs hurt their budgets, there are free options available. PowerShell is free software that, if utilized, can complement an organization's vulnerability management program by assisting in scanning for unpatched systems. This paper presents a PowerShell script that provides administrators with further insight into which systems are unpatched and streamlines investigations of possible false positives, at no additional cost.

It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. This survey highlights the importance of managing internal threats as the key to winning at cyber security.

The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.

Malware has become a growing concern in a society of interconnected devices and real-time communications. This paper will show how to analyze live ransomware samples: how the malware behaves locally, over time and within the network. Analyzing live ransomware gives a unique three-dimensional perspective, visually locating crucial signatures and behaviors efficiently. Instead of reverse engineering or parsing the malware executable's structure, live analysis provides a simpler method to root out indicators. Ransomware touches just about every file and many of the registry keys, so analysis can be done, but it needs to be focused. The analysis of malware capabilities from different datasets, including process monitoring, flow data, registry key changes, and network traffic, will yield indicators of compromise. These indicators will be collected using various open source tools such as the Sysinternals suite, Fiddler, Wireshark, and Snort, to name a few. Malware indicators of compromise will be collected to produce defensive countermeasures against unwanted advanced adversary activity on a network. A virtual appliance platform with a simulated production Windows 8 OS will be created, infected and processed to collect indicators to be used to secure enterprise systems. Different tools will leverage these datasets to gather indicators, view malware on multiple layers, contain compromised hosts and prevent future infections.

Internal defense is a perilous problem facing many organizations today. Sole reliance on external defenses is all too common, leaving the internal organization largely unprotected. When internal defense is actually considered, how many think beyond fallible antivirus (AV) or immature data loss prevention (DLP) solutions? Considering the rise of phishing emails and other social engineering campaigns, there is a significantly increased risk that an organization's current external and internal defenses will fail to prevent compromises. How would a cyber security team detect an attacker establishing a foothold within the center of the organization, or undetectable malware being downloaded internally, if a user were to fall for a phishing attempt?

On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. These seemingly normal actions, in every office and on every personal computer, can suddenly become a ransomware incident if the file, attachment or banner ad was intended to infect the system and encrypt every file the user had access to. What was once a rare occurrence now impacts networks ranging from small businesses to large companies to governments.

Data exfiltration is arguably the most important target for a security researcher to identify. The seemingly endless breaches of major corporations are carried out over channels of varying stealth, and an endless array of methods exist to communicate the data to remote endpoints while bypassing intrusion detection systems, intrusion prevention systems, firewalls, and proxies. This research examines a novel way to perform this data exfiltration, utilizing port knocking over the User Datagram Protocol. It focuses specifically on the ease with which this can be done, the relatively low signal-to-noise ratio of the resultant traffic, and the plausible deniability of receiving the exfiltrated data. Particular attention is paid to an implemented proof of concept, while the complete source code may be found in the Appendix.

A review by SANS analyst and instructor Dave Shackleford of Raytheon|Websense SureView Insider Threat. It discusses the product's ability to assist security teams in their efforts to mitigate the threats posed by trusted insiders.

A review of Rapid7 UserInsight by SANS senior analyst Jerry Shenk. It discusses a tool that highlights user credential misuse while tracking endpoint system details that would be valuable to an incident response team.

A spate of high-profile security breaches and attacks means that security practitioners find themselves thinking a lot about incident response. A new SANS incident response survey explores how practitioners are dealing with these numerous incidents and provides insight into incident response plans, attack histories, where organizations should focus their response efforts, and how to put all of the pieces together.

A great deal of money has been spent by organizations on security technology, with only moderate success. Technology is installed, but often left untuned and unmonitored. Though vendors have touted self-defending networks (Gleichauf, 2005) and claimed their products are impervious, reality teaches otherwise.

Absolute security does not exist, nor can it be achieved. The statement that a computer is either secure or not is logically falsifiable (Peisert & Bishop, 2007); all systems exhibit some level of insecurity.

This paper discusses techniques attackers use to exploit missing insider controls and offers a cohesive set of cyber, operational and physical controls to manage a range of user access types for better security and compliance in utility control environments.

“Perceived Control” is a core construct used in the field of psychology that can be considered an aspect of empowerment (Eklund & Backstrom, 2006). Effectively, it is a measure of how much control people feel they have, as opposed to the amount of “Actual Control” they may have. It is often contrasted with constructs such as “Vicarious Control” and “Vicarious Perceived Control”, which measure the amount of control that outside entities have over the subject. These variables are often measured in the psychology and health fields. For example, in medicine, when patients report a lack of perceived control over controllable illnesses such as diabetes (Helgeson & Franzen, 1997), breast cancer (Helgeson, 1992) and heart disease (Helgeson, 1992), they often do more poorly than patients who feel they have a greater sense of control over their illness. There is also evidence that students with high perceived control do substantially better academically than those with low perceived control, though this also seems to be linked with emotions surrounding the tasks at hand (Ruthig, Perry, Hladkyj, Hall, & Pekrun, 2008). In short, people who are interested in and excited by what they are doing tend to perform better.

Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is the questionnaire: a knock on the door to answer a survey for a “census” worker, or a “harmless” quiz found on a social networking site. Depending upon their content, questionnaires can serve as a very powerful means of capturing and correlating information for nefarious purposes.

One of the greatest threats to information security could actually come from within your company or organization. Inside ‘attacks’ have been noted to be among the most dangerous, since insiders are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).

This paper proposes a framework for implementing, operating and testing document security controls within an organization. While much security management is meant to prevent people from doing things they ought not do, a framework is meant to help people do what they ought to do. In the case of the Controlled Event Framework for Information Asset Security, people are directed with some specificity on how to handle documents so they do their work effectively and securely.

This paper explores data leakage and how it can impact an organization. Because more forms of communication, such as instant messaging and VoIP, are being utilized within organizations beyond traditional email, more avenues for data leakage have emerged.

Information Security is not just technology. It is a process, a policy, and a culture. Our organization had spent millions of dollars on technology to keep the "bad guys" out, but we had spent little time building the foundations of our Information Security Program.

This paper will proceed in a very logical manner to describe how a sequential development life cycle increases in depth as security is applied. Each major portion of the paper will address a phase of the system development lifecycle.

The insidious nature of spyware combined with the lack of user awareness and spyware's potential for surveillance, data gathering and system hijacking pose a threat to home users and businesses. Commercial interests, the technology industry, consumers and legislators must combine efforts to address this threat.

CIOs, managers and staff are faced with ever increasing levels of complexity in managing the security of their organizations and in preventing attacks that are increasingly sophisticated. As individuals we are subjected to enormous amounts of information across a broad range of subjects: security policies, new technologies, new patches, new threats, new sources of information; the list is endless.

This essay explores the reasons for the poor state of PC security that currently exists. It focuses on end users rather than administrators, and threats and solutions are examined from an end user's perspective.

Although the aftermath of September 11th has brought to the forefront the realization that security threats are real, most companies are still far from creating a culture of security awareness within their organizations.

Every security safeguard a computer user takes will reduce the number of people skilled enough to break into their computer. After all, there are a finite number of people who have the skill required to break into computer systems.

This document is a review of the various programs and processes that should be in place within any organization for the protection of their information assets. The many areas of any organization's security program play key roles in supporting the certification and accreditation (C&A) process of an organization's information assets.

Let us assume your business is fairly accomplished in the Risk Assessment evolutionary ladder. Perhaps your company already assesses its network configurations regularly, all the applications in use have been reviewed for stringent security guidelines, maybe the IT team has even classified all your corporate information assets, and the vulnerability assessments are complete.

This paper examines an overview of the common pin tumbler lock and the five methods to exploit them. Pin tumbler locks are found in a vast majority of residential, commercial, government and educational institutions.

This paper explains the basic principles of quantum cryptography and how these principles apply to quantum key distribution. One specific quantum key distribution protocol called is described in detail and compared to traditional (nonquantum) cryptographic systems.

The intent of this paper is to discuss wireless networks and why they are useful to organizations, namely healthcare organizations. Once we have established the foundation for why we need wireless, we will cover the vulnerabilities and problems of wireless networks.

Distributed computing allows groups to accomplish work that was not previously feasible with supercomputers, due to cost or time constraints. Although the primary function of distributed computing systems is to produce the processing power needed to complete complex computations, distributed computing also reaches outside of the processing arena into other areas such as network usage.

This paper was written to raise security awareness and provide corporate employees with essential security information that emphasizes critical issues surrounding an implementation of security "best practices" throughout an organization.

This essay describes how to successfully implement a comprehensive Security Training, Awareness, and Education program within a federal arena using the Instructional System Design (ISD) process or model, and further illustrates that these processes are applicable to, and utilized in, commercial organizations as well.

This paper applies the principles of community policing and crime prevention to the Internet. It details how to establish relationships between law enforcement and potential victims, their individual roles and responsibilities, and some of the problems the relationship may alleviate, such as the fears a victim may have about reporting cybercrime.

The role of Information Security is essential for the protection of consumers, businesses, governments, and the U.S. and World economy from the threats caused by the natural advancement of Information Technology and society as we know it.

This paper examines the importance of security awareness, how it supports the fundamental goals of an information security program and provides a recommendation for implementing an effective security awareness strategy.

There are steps we can take to improve computer security. For corporate computers, the answer is twofold: make security a priority for the organization and get security expertise either by hiring or training.

This practical defines the current state of business operations, the security design function, the introduction of policy development and security awareness, and communicates our newfound knowledge to the IT security design team.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.